lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YEk/qNwCkL63CYFy@kernel.org>
Date:   Wed, 10 Mar 2021 23:52:40 +0200
From:   Jarkko Sakkinen <jarkko@...nel.org>
To:     Sean Christopherson <seanjc@...gle.com>
Cc:     Dave Hansen <dave.hansen@...el.com>, linux-sgx@...r.kernel.org,
        stable@...r.kernel.org, Dave Hansen <dave.hansen@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
        Jethro Beekman <jethro@...tanix.com>,
        Serge Ayoun <serge.ayoun@...el.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 1/5] x86/sgx: Fix a resource leak in sgx_init()

On Wed, Mar 10, 2021 at 07:49:29AM -0800, Sean Christopherson wrote:
> On Wed, Mar 10, 2021, Jarkko Sakkinen wrote:
> > On Wed, Mar 03, 2021 at 08:56:52AM -0800, Dave Hansen wrote:
> > > On 3/3/21 7:03 AM, Jarkko Sakkinen wrote:
> > > > If sgx_page_cache_init() fails in the middle, a trivial return
> > > > statement causes unused memory and virtual address space reserved for
> > > > the EPC section, not freed. Fix this by using the same rollback, as
> > > > when sgx_page_reclaimer_init() fails.
> > > ...
> > > > @@ -708,8 +708,10 @@ static int __init sgx_init(void)
> > > >  	if (!cpu_feature_enabled(X86_FEATURE_SGX))
> > > >  		return -ENODEV;
> > > >  
> > > > -	if (!sgx_page_cache_init())
> > > > -		return -ENOMEM;
> > > > +	if (!sgx_page_cache_init()) {
> > > > +		ret = -ENOMEM;
> > > > +		goto err_page_cache;
> > > > +	}
> > > 
> > > 
> > > Currently, the only way sgx_page_cache_init() can fail is in the case
> > > that there are no sections:
> > > 
> > >         if (!sgx_nr_epc_sections) {
> > >                 pr_err("There are zero EPC sections.\n");
> > >                 return false;
> > >         }
> > > 
> > > That only happened if all sgx_setup_epc_section() calls failed.
> > > sgx_setup_epc_section() never both allocates memory with vmalloc for
> > > section->pages *and* fails.  If sgx_setup_epc_section() has a successful
> > > memremap() but a failed vmalloc(), it cleans up with memunmap().
> > > 
> > > In other words, I see how this _looks_ like a memory leak from
> > > sgx_init(), but I don't see an actual leak in practice.
> > > 
> > > Am I missing something?
> > 
> > In sgx_setup_epc_section():
> > 
> > 
> > 	section->pages = vmalloc(nr_pages * sizeof(struct sgx_epc_page));
> > 	if (!section->pages) {
> > 		memunmap(section->virt_addr);
> > 		return false;
> > 	}
> > 
> > I.e. this rollback does not happen without this fix applied:
> > 
> > 	for (i = 0; i < sgx_nr_epc_sections; i++) {
> > 		vfree(sgx_epc_sections[i].pages);
> > 		memunmap(sgx_epc_sections[i].virt_addr);
> > 	}
> 
> Dave is pointing out that sgx_page_cache_init() fails if and only if _all_
> sections fail sgx_setup_epc_section(), and if all sections fail then
> sgx_nr_epc_sections is '0' and the above is a nop.
> 
> That behavior is by design, as we didn't want to kill SGX if a single section
> failed to initialize for whatever reason.

My bad. You're correct. I got mixed up by the rollback :-) Thanks!

I'll just drop the whole patch.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ